On Tue, Jun 4, 2019 at 9:26 AM Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote: > > On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote: > > Do not allow an enclave page to be mapped with PROT_EXEC if the source > > page is backed by a file on a noexec file system. > > > > Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx> > > Why don't you just check in sgx_encl_add_page() that whether the path > comes from noexec and deny if SECINFO contains X? > SECINFO seems almost entirely useless for this kind of thing because of SGX2. I'm thinking that SECINFO should be completely ignored for anything other than its required architectural purpose.
